Enhancing cyber resilience in electricity systems

Digitalisation offers many benefits both for electricity systems and clean energy transitions. At the same time, the rapid growth of connected energy resources and devices is expanding the potential cyberattack surface, while increased connectivity and automation throughout the system are raising cybersecurity risks.

The threat of cyberattacks on electricity systems is substantial and growing. Threat actors are becoming increasingly sophisticated at carrying out attacks. A successful cyberattack could trigger the loss of control over devices and processes, in turn causing physical damage and widespread service disruption.

While the full prevention of cyberattacks is not possible, electricity systems can become more cyber resilient – to withstand, adapt to and rapidly recover from incidents and attacks, while preserving the continuity of critical infrastructure operations. Policy makers, regulators, utilities and equipment providers have key roles to play in ensuring the cyber resilience of the entire electricity value chain.

Policy makers are central to enhancing the cyber resilience of electricity systems, beginning with raising awareness and working with stakeholders to continuously identify, manage and communicate emerging vulnerabilities and risks. Policy makers are also ideally placed to facilitate partnerships and sector-wide collaboration, develop information exchange programmes and support research initiatives across the electricity sector and beyond. Ecosystem-wide collaboration can help to improve understanding of the risks that each stakeholder poses to the ecosystem and vice-versa.

Information sharing can enhance cyber resilience across the system for all electricity sector stakeholders. Stakeholders should be encouraged to share information on vulnerabilities and actual incidents, be transparent on implemented policies, and share information and best practices at national and international levels.

A wealth of existing risk management tools, security frameworks, technical measures and self-assessment approaches are available. Policy makers and industry need to apply what is relevant in their context and approach resilience as a continuous process rather than a one-time milestone. Policy makers and the industry should both commit to an approach based on ongoing collaborative dialogue.

Governments around the world can enhance cyber resilience through a range of policy and regulatory approaches, ranging from highly prescriptive approaches to framework-oriented, performance-based approaches. Approaches that are more prescriptive have the advantage of allowing for more streamlined compliance monitoring, but they could face challenges in keeping pace with evolving cyber risks. Less prescriptive, framework-based approaches allow for different approaches and implementation speeds across jurisdictions, but they raise questions around how to establish a coherent and robust cross-country approach to cybersecurity with tangible and effective impact. Implementation strategies should be tailored to national contexts while considering the global nature of risks.

Cyber resilience policies need continuous review and adaptation. Further decentralisation and digitalisation of the electricity sector – especially at the distribution level (smart meters, connected consumer devices) – shifts the risk exposure to the grid edge. Effective policies need to look beyond bulk utilities and consider the entire electricity chain, including supply chains.

Supply chain security is an international issue. To demonstrate security preparedness, certification or other similar mechanisms based upon existing international standards need to be institutionalised and interoperable at the global level, where deemed appropriate. 

Many countries and companies are developing and implementing policies and strategies to enhance the cyber resilience of their electricity systems. While differing contexts require tailored approaches, several overarching action areas can serve as the basis for achieving more appropriate electricity security frameworks for the future. These are: institutionalising responsibilities and incentives; identifying risks; managing and mitigating risks; monitoring progress; and responding to and recovering from disruptions.

Institutionalise

Policy makers need to set appropriate responsibilities and incentives for relevant organisations within their jurisdiction.

• Policy makers: designate responsible authorities to set objectives, give direction on measures and assess their implementation.
• Policy makers and regulators: implement co‑ordination mechanisms between responsible authorities (both within and outside the electricity sector) to avoid conflicts between various regulatory levels.
• Policy makers and regulators: incentivise or oblige regulated and non-regulated entities to implement cybersecurity safeguards. Measures should aim to improve outcomes, rather than relying only on compliance-based processes that risk becoming a box-ticking exercise. The level of enforcement needs to relate to how critical the organisation is to wider system reliability. Positive incentives need to be considered to foster transparency, co‑operation and co‑ordination.
• Policy makers, regulators and industry: increase the level of awareness of the need for cyber resilience across the sector, including in electricity-related agencies and authorities.

Identify risks

Policy makers need to ensure that operators of critical electricity infrastructure identify, assess and communicate critical risks.

• Policy makers and regulators: ensure designated organisations regularly conduct system-level risk analyses to identify key threat scenarios and system vulnerabilities.
• Utilities and operators: identify and classify assets, systems and interfaces according to their risk level (likelihood and impact) and assign security measures according to level of system risk.
• Policy makers and industry: facilitate public-private cyber risk information sharing.

Manage and mitigate risk

Policy makers and industry have to collaborate to improve readiness across the entire electricity system-value chain.

• Policy makers and industry: provide accessible tools and guidance on cyber resilience best practices.
• Utilities: implement proper risk management strategies to identify capabilities and risks of their systems from both information technology (IT) and operational technology (OT) perspectives. Establishing a clear risk management strategy can help prioritise areas of work and investment decisions to maximise benefits.
• Policy makers, standards bodies, industry and researchers: develop facilities to test and validate effective implementation of cybersecurity measures and controls.
• Policy makers and standards bodies: consider certification of products and services by carefully analysing criticality, enforcement options and market impact.
• Policy makers and industry: develop capacity building for cybersecurity to ensure skills and resources evolve appropriately. This involves achieving buy-in and a basic understanding across the entire organisation. Mandatory training and certification of critical staff should be considered.

Monitor progress

Policy makers need to ensure mechanisms and tools are in place to evaluate and monitor risks and preparedness, and track progress over time. This is important at the operational level for individual utilities, as well as at the level of policy makers and regulatory authorities who need to understand if strategic objectives are met.

• Policy makers and regulators: develop or provide mechanisms and tools to continuously monitor preparedness.
• Policy makers and regulators: develop mechanisms to monitor and build knowledge around emerging threats. This is an area where partnerships and communication with the intelligence community is essential.
• Policy makers, the intelligence community and industry: develop and support active threat hunting and cyberthreat intelligence mechanisms to prevent or limit the damage from high-end attacks.
• Equipment providers and utilities: conduct active monitoring of the supply chain to detect vulnerabilities.
• Policy makers and industry: develop mechanisms to share incident reports and other information.

Respond and recover

Resilience must go beyond preventing incidents to include effectively coping with attacks. Policy makers need to enhance the response and recovery mechanisms of electricity sector stakeholders.

• Utilities: implement robust response and recovery procedures that help maintain operations in the event of a cyberattack, with clearly allocated responsibilities to all main stakeholders.
• Policy makers and utilities: execute regular response exercises and capture lessons learned and adapt practices.
• Policy makers, regulators and industry: stimulate information logging and sharing to facilitate analysis of actual incidents.

Electricity systems – particularly network operations – are becoming increasingly digitalised, bringing many benefits to electricity consumers, utilities and the system as a whole (IEA, 2017). However, the growth in connected devices and distributed energy resources is expanding the potential cyberattack surface of electricity systems, raising cyber risks. The nature of these cyber risks is also changing as a result of increasing connectivity and automation, a shift to cloud computing and the replacement of sector-specific IT with open-protocol standards.

The electricity system is interconnected with all other critical infrastructure and services. Cyberattacks on electricity systems are therefore a critical threat to every aspect of modern societies. Policy makers, regulators, system operators and industry across the electricity value chain all have important roles to play in enhancing the cyber resilience of the system.

The following pages offer practical guidance to energy policy makers and other stakeholders on increasing the cyber resilience of electricity systems. Using real-world examples, this report aims to address the following questions:

• What are the greatest cybersecurity risks to electricity systems today? How are they evolving?
• What strategies and actions can electric utilities and other key stakeholders develop and implement to identify and manage cyber risks and recover from attacks? What sector-specific characteristics need to be considered when tailoring general cyber resilience principles and measures to the electricity system?
• How can collaboration between stakeholders help to maximise effectiveness and optimise efforts? How can responsibility best be assigned and shared?
• How can policy makers and other industry organisations encourage a more proactive integrated risk management approach?
• What are the lessons to be learned from different jurisdictions’ regulatory approaches to cybersecurity in the electricity sector? Which approaches have so far proven to be most effective, and how can effectiveness be measured in advance of actual incidents and failures?

Various terms and concepts are introduced and discussed in this chapter. The following table defines some of the principal terms used. This report uses the “cyber” prefix to discuss digital security and resilience issues related to intentional and malicious attacks and incidents on the electricity system (e.g. cybersecurity, cyber resilience, cyberattack, cyber risk). The report does not cover unintentional incidents or broader digital security issues such as data privacy. The intent of this report is to provide broad guidance to energy policy makers and companies to enhance resilience in the electricity sector, and does not go into technical details or cover national security issues.

The fundamental principles of cyber resilience, such as embedding a culture of cyber hygiene and implementing risk management strategies, are generally applicable across all sectors and industries. However, the application of these principles needs to be tailored to account for sector-specific characteristics and needs. In the electricity sector, these include:

• Real-time requirements for and expectations of very high availability.
• Interdependencies and cascading effects within and across systems.
• A mix of new technologies and legacy assets with long lifetimes.

Electricity systems operate in real time, prioritising availability and reliability above all. Electricity industrial control systems must react within fractions of a second, thus requiring cybersecurity procedures like authentication to operate seamlessly and to support the underlying industrial control system functions. The real-time nature of electricity also means that common cybersecurity operations, such as installing patches and rebooting, are more complex compared to the same operation performed on less critical environments, which are easier to take out of operation temporarily.

Electricity systems are also prone to cascading effects across both digital and electrical systems. As utilities increasingly interconnect their systems for the sharing of operational and planning information, an attack could cascade across their digital networks. In addition, if the operation of an electrical network depends on IT located in another network region, an outage there could spill over because of the outage of the IT systems. As with most electricity security risks, a single incident can also cascade across the wider electricity network, causing large-scale outages.

The impacts of an outage can then also affect other critical services that depend on electricity. For example, an insurance company has estimated that an extreme but unlikely scenario of a malware attack on power plants in the northeastern United States could cause economic losses of around USD 250 billion as a result of impacts. These would include direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business and disruption to supply chains (Lloyd’s & University of Cambridge Centre for Risk Studies, 2015). Cyberattacks on London’s electricity grid could cost GBP 21 to 111 million a day (Oughton et al., 2019).

The majority of electricity infrastructure – such as power plants and transmission and distribution systems – have long operational lifetimes, often lasting over fifty years. This means that most electricity systems today include a mix of recent highly digitalised technologies and analogue legacy assets deployed decades earlier. Older, unprotected OT was often designed without the intent of connecting to networks (i.e. they were “air-gapped”), but are being increasingly adapted and connected to IT networks through standardised protocols and additional interface devices. Without adequate security measures and integrated cyber resilience approaches, these connections risk introducing new vulnerabilities to the system.

Cybersecurity experts believe that there are three necessary conditions for a major cyberattack: opportunity, capability and motivation (Madnick, 2020). To date, disruptions to electricity caused by cyberattacks have been limited. As the opportunity to attack (i.e. existing unresolved vulnerabilities) and the capability of attackers continues to grow, it is clear that electricity system stakeholders must continue to be well prepared and resilient. For countries around the world, cyber resilience of the electricity system is becoming a matter of national security.

While full prevention of cyberattacks is not possible, electricity systems can become more cyber resilient to attacks – by designing them in a way to withstand shocks and be able to quickly absorb, recover or adapt, while preserving the continuity of critical infrastructure operations, or a large part of it. The capacity to adapt to new technologies, as well as to new risks and threats, is key.

However, the uncertainty and the evolving nature of cyberthreats make it difficult to justify large expenditure on staff, tools or cyber insurance policies.1 For industry, cyber risks should be integrated across all departments (e.g. operations, procurement or innovation) and reported with other business-critical risks. Establishing a cyber-resilient culture and strategy are key – beginning with ensuring that cybersecurity efforts are not confined to the IT department or the “cyber risk board”.

Policy makers and regulators have an important role to play in encouraging cyber resilience efforts. Regulatory requirements can help to ensure that minimum necessary investments are made, for example, adding cybersecurity criteria to the rate base for regulated electricity grid operators, or qualification criteria to stakeholders participating in the market or connecting directly to the grid. However, compliance with regulatory standards does not, on its own, guarantee that infrastructure will be or will remain completely secure and resilient. In general, regulatory standards, due to the decision-making processes and the need for stable and inclusive governance, may struggle to keep up with rapid technological change and emerging vulnerabilities.

Cyber resilience efforts require action in other related sectors such as telecommunications and manufacturing as well, complicating the regulatory oversight process. Cyber resilience in the electricity sector should be considered within the broader context of enhancing resilience across all critical infrastructure and services, including water, transport, communication networks, health and finance.

Governments, utilities and other stakeholders across the electricity value chain need to be proactive in finding solutions that can adapt to evolving cyberthreats. An ongoing commitment to co‑operation and collaboration will be necessary.

International co‑operation is particularly important due to the global and instant nature of the internet – an attack against a particular asset can rapidly spread across the world. International organisations and policy makers play a key role in fostering collaboration at the international level. This should include collaboration across all relevant stakeholder groups, from senior policy makers and regulators, to individual utilities and suppliers of electricity and equipment.